Language: Deutsch · English
Secure Nuclos with SSL/TLS – create a Java keystore from certificates, self-signed certificates and verification.
HOW-TO ADMINISTRATOR UPDATED: JUL 2026 APPLIES TO NUCLOS 4.2026.X
On this page
Nuclos can be secured with SSL/TLS. The easiest way is to enable SSL in the installer and provide a ready-made Java keystore there. This page shows how to create and check the keystore.
Starting point: root certificate, optional intermediate certificates and the private key.
cat root.crt chain1.crt chain2.crt > certificate.crt
openssl pkcs12 -export -inkey private.key -in certificate.crt -name certificate_name -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks
Note
It may be necessary to create the keystore directly on the server (not on another machine).
For the launcher the certificate needs a matching subject alternative name and must be added to the launcher's truststore:
keytool -genkey -keyalg RSA -alias localhost -keystore keystore.jks -storepass password -keysize 2048 -ext SAN=dns:localhost,ip:127.0.0.1 -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" keytool -export -alias localhost -file localhost.cer -keystore keystore.jks keytool -import -v -trustcacerts -alias localhost -file localhost.cer -keystore "<path_to_launcher>\cacerts"
keytool -v -list -keystore keystore.jks
Troubleshooting
If the certificate is rejected when accessing the Nuclos address, verifying the keystore helps to check the chain.